Exercise - Integrate logs with a Log Analytics workspace
In this exercise, you create a Log Analytics workspace in the Azure portal. You then direct the audit and sign-in log files to your Log Analytics workspace. Finally, you use a workbook template to create a workbook that holds a query report.
In this exercise, you'll:
- Create a Log Analytics workspace.
- Send log files to your Log Analytics workspace.
- Use a workbook template to hold a query report.
- View your saved workbook.
Note
This exercise is optional. If you don't have an Azure account, you can read through the following instructions to understand how to use Log Analytics and workbooks.
If you want to complete this exercise but you don't have an Azure subscription or prefer not to use your own account, you can create a free account before you begin.
Create a Log Analytics workspace
In the Azure portal, select Create a resource.
In the Search box, enter log analytics.
In the results list, select Log Analytics Workspace, and then select Create. Select or enter the following details:
Under Project details, select the subscription to use for your workspace. Select an existing resource group or select Create new to create a new resource group.
Under Instance details, enter a name for the workspace. For this exercise, enter ContosoWorkspace followed by several extra characters so that the workspace name is unique. For Region, select the location nearest you.
Select Next : Review + Create >, and then check the settings. The pricing tier is automatically set to Pay-as-you-go and is based on a per-gigabyte (GB) cost.
Select Create.
Send logs to your Log Analytics workspace
To stream the audit and sign-in logs to your Log Analytics workspace:
In the Azure portal, go to your Microsoft Entra instance.
In the left menu under Monitoring, select Diagnostic settings, and then select Add diagnostic setting.
In the Diagnostic setting pane:
- In Diagnostic setting name, enter a name for the setting, like SendToLogAnalytics.
- Under Logs > Categories, select AuditLogs and SignInLogs.
- Under Destination details, select Send to Log Analytics workspace. Select or enter the subscription and Log Analytics workspace to use. For this exercise, select the Log Analytics workspace you created, ContosoWorkspace appended with unique characters.
Select Save.
Use a workbook template to hold a query report
Next, begin with a workbook template to create a workbook that will hold a query report:
In the Azure portal, go to your Log Analytics workspace.
In the left menu under General, select Workbooks.
Select the Default Template tile.
For this exercise, you want to know the most common user event for the past week. In your query editor, paste the following query:
AuditLogs
| where TimeGenerated >= ago(7d)
| summarize auditCount = count() by OperationName
| sort by auditCount desc
In the menu bar, select Run Query, and then select Done editing.
In the menu bar, select Save.
Enter a descriptive name, like Common User Events Last 7 days.
Select or enter the subscription, resource group, and location you want to use. Select Save.
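The same workbook can hold a query over the sign-in logs you also routed to the workspace. The following KQL is an added example, not part of the original exercise; it assumes the diagnostic setting above has been saving sign-in logs for at least seven days and that the failure threshold of 10 is a constructed value you would tune for your tenant. Note that the Log Analytics table is named SigninLogs even though the diagnostic category you selected is SignInLogs.

```kql
// Added example (not from the original exercise): failed sign-ins in the past
// 7 days, grouped by user and failure reason, keeping only users with many
// failures. Useful as a second workbook query next to the audit-log report.
SigninLogs
| where TimeGenerated >= ago(7d)
// ResultType "0" is a successful sign-in; anything else is a failure code.
| where ResultType != "0"
| summarize failedCount = count(),
            distinctIPs = dcount(IPAddress),
            firstSeen  = min(TimeGenerated),
            lastSeen   = max(TimeGenerated)
    by UserPrincipalName, ResultType, ResultDescription
// Constructed threshold: adjust to what is normal for your tenant.
| where failedCount >= 10
| sort by failedCount desc
```

Paste it into a new query step of the workbook, select Run Query, and save the workbook as before; an empty result means no user crossed the threshold in the window, not that the logs are missing.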
View a saved workbook
To view the workbook you saved, still in your Log Analytics workspace, in the left menu under General, select Workbooks. Look for the workbook tile under Recently modified workbooks.